# AppArmor profile for nginx web server
# Version of program profiled: 1.27.0
# Homepage: https://github.com/krathalan/apparmor-profiles
# Copyright 2020-2024 (C) krathalan; Licensed under GPLv3

abi <abi/3.0>,
include <tunables/global>

profile nginx /usr/bin/nginx {
  include if exists <local/nginx>
  include <abstractions/base>
  include <abstractions/krathalans-nameservice>

  /usr/bin/nginx r,
  /usr/share/nginx/{,**} r,

  # Misc
  /var/lib/nginx/{,**} rw,
  /run/nginx/nginx.pid rw,

  # Networking
  include <abstractions/krathalans-networking>
  capability net_bind_service,
  network netlink raw,
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  /etc/letsencrypt/{,**} r,

  # Conf
  /etc/nginx/{,**} r,

  # Logs
  /var/log/nginx/{,**} rw,

  # Deny unnecessary permissions
  deny @{PROC}/cmdline r,
  deny @{PROC}/sys/kernel/osrelease r,
}
